Description

COMPUTER SYSTEM, COMPUTER PROGRAM, AND ADDITION METHOD 
BACKGROUND OF THE INVENTION 

1. Technical Field of the Invention 

0001 

The present invention relates to tamper-resistant software 
technology that makes it difficult to analyze a computer program. 

2. Description of the Related Art

0002 

In recent years, the use of encryption programs (encryption 
software) in computer systems containing processors that operate 
in accordance with computer programs has become common in applications 
such as communicating secret information and authenticating 
communication partners. 

In such applications, unauthorized use may occur if software 
containing keys, encryption algorithms, and the like is installed 
in its original state on a computer system and the installed software 
is analyzed. To solve this problem, Patent Document 1 discloses a 
technology that converts operations and data fields so as to make 
it difficult to infer original operations and data. 

0003 

Suppose, for example, that there is an addition program that 
performs an addition on input data a and b, and outputs the result 
a + b. 

The integers k_1 and k_2 are stored in advance and used to convert
the input data a and b to t_a = k_1 × a + k_2 and t_b = k_1 × b + k_2, respectively.
Note that "×" is an operator denoting a multiplication.




0004 

Next, t_ab = t_a + t_b is calculated from t_a and t_b.
Also, c = (t_ab - 2k_2)/k_1 is calculated from t_ab.
Next, an operation result c is output.
The above process gives

t_ab = t_a + t_b
     = k_1 × a + k_2 + k_1 × b + k_2
     = k_1 × (a + b) + 2k_2

which gives

(t_ab - 2k_2)/k_1 = a + b

0005

Thus c = a + b, and the result of the addition of a and b is 
obtained by the addition program. 
BRIEF SUMMARY OF THE INVENTION

Problem that present invention aims to solve 




0006 

A problem with the method of the conventional example is that 
there is a risk that the operation before conversion will be inferred 
to be addition. This is because the operation in the domain after 
conversion is addition, and is therefore of the same type as the 
operation before the conversion. Thus, if the sections of the program
performing the addition are discovered by a person attempting to 
analyze the program, there is a danger that the code around these 
sections will be intensively analyzed to reveal the nature of the 
conversion used. An operation other than addition should therefore 
be used to ensure, as far as possible, that the true nature of the 
operation before conversion is not discovered. 

0007 

An object of the present invention is to provide a computer 
system, a program, an addition method, and a recording medium which 
make it more difficult to analyze the content of operations.

Means to solve the problem 
0008 

In order to solve the above problem, the present invention
is a computer system for adding two or more integers, including:
a memory unit operable to store a program composed of a plurality
of instructions; and a processor operable to fetch each instruction
in turn from the program stored in the memory unit, and decode and
execute each fetched instruction. The program includes
a conversion instruction set to have the processor generate elements
belonging to a group G by implementing a power operation in the group
G using each integer, an operation instruction set to have the processor
generate an operation value by implementing a basic operation other
than addition using all the generated elements, and an inverse
conversion instruction set to have the processor generate a sum value
of the integers by implementing, in the group G or a proper subgroup
S of the group G, an inverse power operation on the operation value.

Effects of the Invention 
0009 

With this construction, it is possible to conceal the operation
itself as well as the values used in the operation.

The computer system may securely and reliably manipulate target
information, the program may further include a security instruction
set to have the processor implement security processing on the target
information, and the security instruction set may have the processor
implement an addition operation using the conversion instruction
set, the operation instruction set, and the inverse conversion
instruction set.
0010 

Here, the group G may be a multiplicative group of an integer
residue ring, the conversion instruction set may have the processor
implement an exponentiation to each of the integers, and the operation
instruction set may have the processor implement a multiplication
of the elements.

With this construction, the operation performed after the
conversion can be concealed since it is a multiplication rather than
an addition.
0011 

Here, the group G may be a multiplicative group of Z/nZ for
which n = p^m × q, where p and q are primes and m is a positive integer,
the conversion instruction set may have the processor implement
exponentiations to each of the integers, and the operation instruction
set may have the processor implement a multiplication of the elements.

With this construction, the operation performed after the
conversion can be concealed since it is a multiplication rather than
an addition.
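The conventional linear conversion from the Description of the Related Art beside the exponent-based conversion described above, as an added Python example that is not code from the patent. It assumes m = 2 (n = p^2 × q), small constructed primes, and an inverse conversion that recovers the exponent in the order-p subgroup of (Z/p^2 Z)* through the map (x - 1)/p; the function names, the parameter values and that choice of inverse are assumptions, since this passage does not specify them.

```python
"""Added illustration (not from the patent): integer addition concealed as a
multiplication in G = (Z/nZ)*, n = p^2 * q, beside the conventional method."""
from math import gcd

# --- Conventional example: linear conversion t = k_1 * x + k_2 --------------
K1, K2 = 7919, 104729            # constructed constants k_1, k_2


def conventional_add(a, b):
    t_a = K1 * a + K2
    t_b = K1 * b + K2
    t_ab = t_a + t_b             # the converted-domain operation is still "+"
    return (t_ab - 2 * K2) // K1


# --- Exponent-based conversion (assumed parameters, m = 2) ------------------
P = 2**61 - 1                    # constructed prime p
Q = 2**31 - 1                    # constructed prime q
P2 = P * P
N = P2 * Q                       # n = p^2 * q


def reduce_to_subgroup(x):
    """Reduction portion: map an element of G into the subgroup S of order p
    inside (Z/p^2 Z)*. Every element of S has the form 1 + k*p."""
    return pow(x % P2, P - 1, P2)


def log_in_subgroup(s):
    """For s = 1 + k*p in S, return k (0 <= k < p)."""
    if s % P != 1:
        raise ValueError("element is not in the subgroup S")
    return (s - 1) // P


def pick_base():
    """Smallest g in G whose image in S is not the identity."""
    for g in range(2, 1000):
        if gcd(g, N) == 1 and log_in_subgroup(reduce_to_subgroup(g)) != 0:
            return g
    raise RuntimeError("no suitable base found")


G = pick_base()
G_LOG_INV = pow(log_in_subgroup(reduce_to_subgroup(G)), -1, P)


def convert(a):
    """Conversion instruction set: power operation g^a in G."""
    return pow(G, a, N)


def operate(elements):
    """Operation instruction set: multiply all converted elements in G."""
    acc = 1
    for e in elements:
        acc = acc * e % N
    return acc


def inverse_convert(t):
    """Inverse conversion: recover the exponent of t, modulo p."""
    return log_in_subgroup(reduce_to_subgroup(t)) * G_LOG_INV % P


def concealed_add(*integers):
    """Sum of the inputs computed without an integer addition of the inputs.
    Correct only while the true sum is below p; larger sums wrap modulo p."""
    return inverse_convert(operate(convert(a) for a in integers))


if __name__ == "__main__":
    a, b = 0x89ABCDEF, 0x0F1E2D3C   # constructed 32-bit operands
    print(hex(conventional_add(a, b)), hex(concealed_add(a, b)))
```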
0012 

Here, the subgroup S may be an anomalous elliptic curve group,
the conversion instruction set may have the processor implement a
multiplication on the elliptic curve using each integer, and the
operation instruction set may have the processor implement an addition
of the elements on the elliptic curve. Moreover, the group G may
be a direct product of two anomalous elliptic curve groups, the
conversion instruction set may have the processor implement a
multiplication on the elliptic curve using each integer, and the
operation instruction set may have the processor implement an addition
of the generated elements on the elliptic curve.
0013 

With this construction, the operation performed after the
conversion can be concealed since it is addition on an elliptic curve,
rather than an addition of integers.

Here, the inverse conversion instruction set may include a
reduction portion to have the processor reduce each element belonging
to the group G to an element belonging to the subgroup S.
0014 

With this construction, the operation by the inverse conversion 
instruction set is easily carried out. 



The computer system may encrypt or decrypt target information
based on key information. In this case, the security instruction
set may have the processor encrypt or decrypt the target information
based on the key information, the encryption and decryption being
performed using the addition operation to add the key information
or second key information obtained from the key information, to the
target information or to second target information obtained from
the target information, and in the addition operation, the conversion
instruction set, the operation instruction set, and the inverse
conversion instruction set may be used to add the key information
or the second key information, to the target information or to the
second target information.
0015 

With this construction, the values and operations used in the
additions which relate to encryption or decryption can be concealed.

The computer system may implement a digital signature or digital
signature verification on the target information based on key
information. Here, the security instruction set may implement the
digital signature or digital signature verification on the target
information based on the key information, making use of the addition
operation to add the key information or second key information obtained
from the key information to the target information or to second target
information obtained from the target information, and in the addition
operation, the conversion instruction set, the operation instruction
set and the inverse conversion instruction set may be used to add
the key information or the second key information to the target
information or to the second target information.
0016 



With this construction, the values and operations used in the
additions related to the digital signature or digital
signature verification can be concealed.

As described above, the construction of the present invention 
is advantageous as it enables concealment of the operation itself 
as well as the values used in the operation. 

BRIEF DESCRIPTION OF THE DRAWINGS 

0017 

FIG. 1 shows a construction of a content transmission system 10;

FIG. 2 is a block diagram showing a construction of a content
server 100;

FIG. 3 is a flow-chart describing a content transmission program 131;

FIG. 4 is a flow-chart describing a content encryption program 132;

FIG. 5 shows the structure of an encryption program 133;

FIG. 6 is a flow-chart describing the content of an encryption
control module 141 (continued in FIG. 7);

FIG. 7 is a flow-chart describing the content of the encryption
control module 141 (continuation of flow-chart from FIG. 6);

FIG. 8 shows the construction of a personal computer 200;

FIG. 9 is a flow-chart describing a content receiving program 231;

FIG. 10 is a flow-chart describing a content decryption program 232;

FIG. 11 shows the structure of a decryption program 234;

FIG. 12 is a flow-chart describing the content of a decryption
control module 241 (continued in FIG. 13);

FIG. 13 is a flow-chart describing the content of the decryption
control module 241 (continuation of flow-chart from FIG. 12);

FIG. 14 shows the structure of an addition module 243;

FIG. 15 is a flow-chart showing an addition operation by the
addition module 243;

FIG. 16 shows the structure of an addition module 501;

FIG. 17 is a flow-chart showing an adding operation by
the addition module 501;

FIG. 18 shows the structure of an addition module 601; and

FIG. 19 is a flow-chart showing an adding operation by the
addition module 601.

DETAILED DESCRIPTION OF THE INVENTION 
Best Mode for Carrying Out the Invention

0018 

1. Content transmission system 10 

The following describes a content transmission system 10 as 
a first embodiment of the present invention. 

Construction of content transmission system 10 

The content transmission system 10 is constructed from a content 
server 100, a transmission server 300a, a broadcast device 300b, 
a BD manufacturing device 300c, a personal computer 200, a digital 
broadcast receiver 200a, and a BD player 200b, as shown in FIG. 1. 
0019 

The content server 100 stores movie content composed of video
and audio data, generates encrypted content by encrypting the stored
content in accordance with a request from the transmission server
300a, and transmits the generated encrypted content to the
transmission server 300a which is connected via an exclusive line
21. The transmission server 300a receives the encrypted content,
and transmits the encrypted content to the personal computer 200,
to which the transmission server 200 is connected, via the Internet
20. The personal computer 200 receives the encrypted content,
generates decrypted content by decrypting the received encrypted
content, and outputs video and sound by playing back the generated
decrypted content.
0020 

The content server 100 similarly generates encrypted content
in accordance with a request from the broadcast device 300b, and
transmits the generated encrypted content to the broadcast device
300b which is connected via a private line 22. The broadcast device
300b receives the encrypted content, and broadcasts the received encrypted
content on a carrier wave. The digital broadcast receiver 200a
receives the broadcast wave, extracts the encrypted content from
the received broadcast wave, generates decrypted content by decrypting
the extracted encrypted content, and outputs video and sound by playing
back the generated decrypted content.
0021 

The content server 100 similarly generates encrypted content
in accordance with a request from the BD manufacturing device 300c,
and transmits the generated encrypted content to the BD manufacturing
device 300c which is connected via a private line 23. The BD
manufacturing device 300c receives the encrypted content, and writes
the received encrypted content in a recording medium 400. The recording
medium 400 with the encrypted content written therein is marketed
and sold to a user. When the user loads the recording medium 400,
the BD player 200b reads the encrypted content from the recording
medium 400, generates decrypted content by decrypting the read
encrypted content, and outputs video and sound by playing back the
generated decrypted content.

0022 

1.2 Content server 100

The content server 100 is a computer system constructed from
a microprocessor 101, a hard disk unit 102, a memory unit 103, an
input control unit 104, a display control unit 105, a communication
unit 106, and the like, as shown in FIG. 2. The input control unit
104 and the display control unit 105 are connected to a keyboard
107 and a monitor 108, respectively. The communication unit 106 is
connected to the transmission server 300a, the broadcast device 300b
and the BD manufacturing device 300c via the exclusive lines 21,
22 and 23, respectively.

0023

The hard disk unit 102 and the memory unit 103 have various
programs stored therein, and the content server 100 achieves a portion
of its functions by the microprocessor 101 operating according to
the programs.

(1) Hard disk unit 102 

The hard disk unit 102 stores content 120, content 121, content
122,..., key 123, key 124, and key 125,..., as shown in FIG. 2, along
with other programs not depicted. The hard disk unit 102 is provided
with regions for storing encrypted content 126, encrypted content
127, encrypted content 128,....
0024 

The content 120, content 121, content 122,..., correspond to the
key 123, key 124, key 125,..., respectively, and further correspond
to the encrypted content 126, encrypted content 127, encrypted content
128,... respectively.

Each of the content 120, content 121, content 122,..., is data
consisting of video and audio data which have been compression coded
at high efficiency.
0025 

The key 123, key 124, key 125,... are encryption keys used for
generating the encrypted content 126, encrypted content 127, and
encrypted content 128 by applying an encryption algorithm to the
content 120, content 121, content 122,.... Each of the key 123, key
124, and key 125 is 64 bits in length. The encryption algorithm is
described in a later section.
0026 

The encrypted content 126, encrypted content 127, encrypted
content 128,... are the encrypted data generated by applying the
encryption algorithm to the content 120, content 121, content 122,...
respectively.

(2) Memory unit 103

The memory unit 103 stores a content transmission program 131,
content encryption program 132, encryption program 133, and
transmission program 134, as shown in FIG. 2, along with other programs
not depicted. Each of these programs is composed of a combination
of instruction codes in machine language format. The machine language
format can be decoded and executed by the microprocessor 101.
0027 

The following is a description of the content of each program.
To ensure that the particulars of each program are easily
understandable, the content of each program is represented using
a flow-chart rather than instructions in machine language format.

(a) Content transmission program 131

The content transmission program 131 is composed of instruction
code sets S101, S102, S103, and S104, which are arranged in the stated
order in the content transmission program 131, as shown in FIG. 3.
Each instruction code set includes one or more instruction codes.

0028

The instruction code set S101 includes a plurality of
instruction codes that indicates to receive a specification of content
from an administrator of the content server 100, or to receive
a specification of content from a transmission destination device
for the content.

The instruction code set S102 includes a plurality of
instruction codes that indicates to receive a specification of the
transmission destination device for the content.

0029 

The instruction code set S103 includes a plurality of
instruction codes that indicates to specify content indicated by
the accepted or received specification, to call the content encryption
program 132, and then to write, as the encrypted content 126, encrypted
content generated by the content encryption program 132 in the hard
disk unit 102.

The instruction code set S104 includes a plurality of
instruction codes that indicates to specify the transmission
destination device of the received specification and the encrypted
content generated and written in hard disk unit 102, and to call
the transmission program 134. By executing the instruction code set
S104, the generated encrypted content is transmitted to the specified
transmission destination device.

0030

(b) Content encryption program 132 

The content encryption program 132 is composed of instruction
code sets S111, S112, S113, S114, S115, and S116, and these instruction
code sets are arranged in the stated order in the content encryption
program 132, as shown in FIG. 4. Each instruction code set includes
one or more instruction codes.
0031 

The instruction code set S111 includes a plurality of
instruction codes that indicates to assign "-64" as an initial value
to a read point. The read point indicates a data position in bits
in the specified content. The instruction codes also indicate to
read a key corresponding to the specified content from the hard disk
unit 102. The read point with the initial value of "-64" indicates
a position outside the content. The initial value of "-64" is assigned
to the read point so that when the later-described instruction code
set S122 is executed for the first time the read point indicates
a position at the head of the content. In the first execution of
the later-described instruction code set S122, 64 bits are added
to the read point, and the read point becomes "0", which indicates
the head of the content.
0032 

The instruction code set S112 includes a plurality of
instruction codes that indicates to add 64 bits to the read point,
and then to read a block of data starting at the position in the
content indicated by the resulting read point. The plurality of
instruction codes further indicates to read the block of data from
the position indicated by the read point if the position lies within
the content, and to output an end code indicating that reading of
the blocks has ended if the position indicated by the read point
lies outside the content. Here, one block is data with a bit length
of 64.

0033

The instruction code set S113 includes a plurality of
instruction codes that indicates to end processing by the content
encryption program 132 if the end code is outputted from the instruction
code set S112. The plurality of instruction codes further indicates
to pass control to the next instruction code set S114 if the end
code is not outputted.

The instruction code set S114 includes a plurality of
instruction codes that indicates to call the encryption program 133
with the read key and the read first block.

0034

The instruction code set S115 includes a plurality of
instruction codes that indicates to write the single encrypted block
generated by the encryption program 133 to the hard disk unit 102
as a portion of the encrypted content 126.

The instruction code set S116 includes an instruction code 
that indicates to pass the control to the instruction code set S112. 

0035 

(c) Encryption program 133 

The encryption program 133 is composed of an encryption control
module 141, an expanded key generation module 142, a rotation module
A143, a rotation module B144, a rotation module C145, and a rotation
module D_146, as shown in FIG. 5.

0036 

Each module is a program composed of a combination of instruction
codes in a machine language format. The machine language format can
be decoded and executed by the microprocessor 101.

Expanded key generation module 142

The expanded key generation module 142 includes a plurality
of instruction codes for reception of a 64-bit key K from a caller
program, generation of 8 expanded keys K1, K2, K3, ..., K8 using the
received key K, and output of the 8 generated expanded keys K1, K2,
K3, ..., K8 to the caller program.

0037 

Note that since description of the method for generating the
expanded keys is carried in Patent Document 3, it is omitted here.

Rotation module A_143

The rotation module A143 includes a plurality of instruction
codes that indicate to (i) receive 32-bit data X from the
caller program, (ii) perform an operation Rot2(X) + X + 1 with
respect to data X, and (iii) output the result of the operation
to the caller program.

Rot2(X) indicates a 2-bit cyclic shift to the left of the 32-bit
data X. A 2-bit cyclic shift to the left of the 32-bit data X refers
to dividing the data X into the 2 most significant bits X1 and the
30 least significant bits X2, shifting X2 to the 30 most significant
bits of the data X, and shifting X1 to the 2 least significant bits.

Rotation module B_144

The rotation module B144 includes a plurality of instruction
codes that indicate to (i) receive 32-bit data X from the caller
program, (ii) perform an operation Rot4(X) XOR X with respect
to data X, and (iii) output the result of the operation to the
caller program.

0039 

Rot4(X) indicates a 4-bit cyclic shift to the left of data
X and XOR indicates an exclusive OR operation. The 4-bit cyclic shift
to the left of the 32-bit data X refers to dividing the data X into
the 4 most significant bits X1 and the 28 least significant bits
X2, shifting X2 to the 28 most significant bits of the data X, and
shifting X1 to the 4 least significant bits.

0040 

Rotation module C_145 

The rotation module C_145 includes a plurality of instruction
codes that indicate to (i) receive 32-bit data X from the caller
program, (ii) perform the operation Rot8(X) XOR X with respect
to data X, and (iii) output the result of the operation to the
caller program.

Rot8(X) indicates an 8-bit cyclic shift to the left of data
X. An 8-bit cyclic shift to the left of the 32-bit data X refers
to dividing the data X into the 8 most significant bits X1 and the
24 least significant bits X2, shifting X2 to the 24 most significant
bits of the data X, and shifting X1 to the 8 least significant bits.
0041 

Rotation module D146

The rotation module D_146 includes a plurality of instruction
codes that indicate to (i) receive 32-bit data X and 32-bit data
Y from the caller program, (ii) perform the operation Rot16(X)
+ (X AND Y) with respect to the data X and the data Y, and (iii)
output the result of the operation to the caller program.

0042 

Rot16(X) indicates a 16-bit cyclic shift to the left of data
X while AND indicates a logical product. A 16-bit cyclic shift to
the left of the 32-bit data X refers to dividing the data X into
the 16 most significant bits X1 and the 16 least significant bits
X2, shifting X2 to the 16 most significant bits of the data X, and
shifting X1 to the 16 least significant bits.

0043 

Encryption control module 141 

The encryption control module 141 includes instruction sets
S121 to S140 arranged in the stated order
in the encryption control module 141, as shown in FIG. 6 and FIG.
7. Each instruction code set includes one or more instruction codes.

0044 

The instruction code set S121 includes a plurality of 
instruction codes that indicates to receive a single block of plaintext 
M and the key K from the caller program which called the encryption 
module 141. Note that one block is data with a bit length of 64. 




The instruction code set S122 includes a plurality of
instruction codes that indicates to call the expanded key generation
module 142 with the received key K. Execution of the instruction
code set S122 results in the generation of the 8 expanded keys K1,
K2, K3, ..., K8.

0045 

The instruction code set S123 includes an instruction code
which defines data M1 and an instruction code which defines data
M2. The data M1 is the 32 most significant bits of the received plaintext
M, and the data M2 is the 32 least significant bits of the received
plaintext M.

The instruction code set S124 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
data M1 and the data M2, and to store the result in a variable TMP1.

0046

TMP1 = M1 XOR M2

The instruction code set S125 includes a plurality of
instruction codes that indicates to perform addition of the variable
TMP1 and the expanded key K1, and to store the result of the operation
in a variable TMP2.

TMP2 = TMP1 + K1

The instruction code set S126 includes a plurality of
instruction codes that indicates to call the rotational module
A143 with the variable TMP2, and to store the result of the operation
in a variable TMP3.

0047

TMP3 = Rot2(TMP2) + TMP2 + 1

The instruction code set S127 includes a plurality of
instruction codes that indicates to call the rotational module B144
with the variable TMP2, and to store the result of the operation
in a variable TMP4.

TMP4 = Rot4(TMP3) XOR TMP3

The instruction code set S128 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
variable TMP4 and the data M1, and to store the result in a variable
TMP5.

0048

TMP5 = TMP4 XOR M1

The instruction code set S129 includes a plurality of
instruction codes that indicates to take a sum of the variable TMP5
and the expanded key K2, and to store the result of the operation
in a variable TMP6.

TMP6 = TMP5 + K2

The instruction code set S130 includes a plurality of
instruction codes that indicates to call the rotation module A143
with the variable TMP6, and to store the result of the operation
in a variable TMP7.

0049

TMP7 = Rot2(TMP6) + TMP6 + 1

The instruction code set S131 includes a plurality of
instruction codes that indicate to call the rotation module C145
with the variable TMP7, and to store the result of the operation
in a variable TMP8.

TMP8 = Rot8(TMP7) XOR TMP7

The instruction code set S132 includes a plurality of
instruction codes that indicates to add the variable TMP8 and the
expanded key K3, and to store the result of the operation in a variable
TMP9.

0050

TMP9 = TMP8 + K3

The instruction code set S133 includes a plurality of
instruction codes that indicates to call the rotation module A143
with the variable TMP9, and to store the result of the operation
in a variable TMP10.

TMP10 = Rot2(TMP9) + TMP9 + 1

The instruction code set S134 includes a plurality of
instruction codes that indicates to call the rotation module A143
with the variable TMP7 and the variable TMP10, and to store the result
of the operation in a variable TMP11.

0051

TMP11 = Rot16(TMP10) + (TMP10 AND TMP7)

The instruction code set S135 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
variable TMP11 and the variable TMP1, and to store the result of
the operation in a variable TMP12.

TMP12 = TMP11 XOR TMP1

The instruction code set S136 includes a plurality of
instruction codes that indicates to add the variable TMP12 and the
expanded key K4, and to store the result of the operation in a variable
TMP13.

0052

TMP13 = TMP12 + K4

The instruction code set S137 includes a plurality of instruction
codes that indicates to call the rotation module A143 with the variable
TMP14, and to store the result of the operation in a variable TMP14.

TMP14 = Rot2(TMP13) + TMP13 + 1

The instruction code set S138 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
variable TMP14 and the variable TMP4, and to store the result of
the operation in a variable TMP15.

0053

TMP15 = TMP14 XOR TMP4

The instruction code set S139 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
variable TMP15 and the variable TMP12, and to store the result of
the operation in a variable TMP16.

TMP16 = TMP15 XOR TMP12

The instruction code set S140 includes a plurality of
instruction codes that indicate to output a 64-bit integer
having the variable TMP15 as its 32 most significant bits and the
variable TMP16 as its least significant bits, as a ciphertext C,
to the caller program.
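The block transformation of instruction code sets S123 to S140, written out as an added Python example (not code from the patent). Where the prose and a printed formula name different operands, the code follows the formulas as printed; reducing each addition modulo 2^32, the names `encrypt_block` and `add`, and the expanded key values are assumptions, since key expansion is omitted on the page. The `add` parameter isolates the four key additions, which are the operations the addition operation of the invention is meant to conceal.

```python
"""Added illustration of encryption control module 141 (S123 to S140)."""
MASK32 = 0xFFFFFFFF


def rotl(x, n):
    """n-bit cyclic left shift of the 32-bit data x."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def add32(x, k):
    """Assumed meaning of '+' on 32-bit data: addition modulo 2^32."""
    return (x + k) & MASK32


def module_a(x):
    """Rotation module A: Rot2(X) + X + 1."""
    return (rotl(x, 2) + x + 1) & MASK32


def module_b(x):
    """Rotation module B: Rot4(X) XOR X."""
    return rotl(x, 4) ^ x


def module_c(x):
    """Rotation module C: Rot8(X) XOR X."""
    return rotl(x, 8) ^ x


def module_d(x, y):
    """Rotation module D: Rot16(X) + (X AND Y)."""
    return (rotl(x, 16) + (x & y)) & MASK32


def encrypt_block(m, expanded_keys, add=add32):
    """Encrypt one 64-bit block m. Only K1..K4 are used by S123 to S140.

    `add(x, k)` performs the four additions that involve key material, so a
    concealed adder can be substituted without touching the rest of the flow.
    """
    k1, k2, k3, k4 = expanded_keys[:4]
    m1, m2 = (m >> 32) & MASK32, m & MASK32     # S123
    tmp1 = m1 ^ m2                              # S124
    tmp2 = add(tmp1, k1)                        # S125 (key addition)
    tmp3 = module_a(tmp2)                       # S126
    tmp4 = module_b(tmp3)                       # S127, formula uses TMP3
    tmp5 = tmp4 ^ m1                            # S128
    tmp6 = add(tmp5, k2)                        # S129 (key addition)
    tmp7 = module_a(tmp6)                       # S130
    tmp8 = module_c(tmp7)                       # S131
    tmp9 = add(tmp8, k3)                        # S132 (key addition)
    tmp10 = module_a(tmp9)                      # S133
    tmp11 = module_d(tmp10, tmp7)               # S134, formula uses Rot16
    tmp12 = tmp11 ^ tmp1                        # S135
    tmp13 = add(tmp12, k4)                      # S136 (key addition)
    tmp14 = module_a(tmp13)                     # S137, formula uses TMP13
    tmp15 = tmp14 ^ tmp4                        # S138
    tmp16 = tmp15 ^ tmp12                       # S139
    return (tmp15 << 32) | tmp16                # S140


if __name__ == "__main__":
    keys = (0x01234567, 0x89ABCDEF, 0x0F1E2D3C, 0x4B5A6978)  # constructed
    print(hex(encrypt_block(0x0011223344556677, keys)))
```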
0054 

(d) Transmission program

The transmission program 134 (not depicted) is composed of
a plurality of instruction codes arranged in order, and includes
a plurality of instruction codes that indicates to receive the
specification of data and the specification of the transmission
destination device from the caller program, and to control the
communication unit 106 to cause the specified data to be transmitted
to the specified transmission destination device.




1.3 Personal computer 200 

The personal computer 200 is composed of a microprocessor 201,
a hard disk unit 202, a memory unit 203, an input control unit 204,
a display control unit 205, a communication unit 206, and the like,
as shown in FIG. 8. The input control unit 204 and the display control
unit 205 are connected to a keyboard 207 and a monitor 208, respectively.
Further, the communication unit 706 is connected to the Internet
20.

0056 

The hard disk unit 202 and the memory unit 203 have various
programs stored therein, and the personal computer 200 achieves a
portion of its functions as a result of the microprocessor 201 operating
in accordance with the programs.

Note that descriptions of the digital broadcast receiver 200a
and the BD player 200b have been omitted since the devices have
constructions similar to that of the personal computer 200.
0057 

(1) Hard disk unit 202 

The hard disk unit stores the key 222 and is provided with
a region for storing encrypted content 221, as shown in FIG. 8. The
encrypted content 221 corresponds to the key 222.

The encrypted content 221 and the key 222 are respectively
identical to the encrypted content 126 and the key 123 stored on
the hard disk 102 of the content server 100.

0058

(2) Memory unit 203 

The memory unit 203 stores content reception program 231,
content decryption program 232, playback program 233, decryption
program 234 and addition program 235, as shown in FIG. 8. Moreover,
the memory unit 203 includes a decrypted content region 236. Each
of these programs is a program composed of a combination of instruction
codes in machine language format. The machine language format can
be decoded and executed by the microprocessor 201.
0059 

The encrypted content is decrypted, and the generated decrypted 
content is temporarily written in the decrypted content region 236. 

The following is a description of the details of the various
programs. To make the details of each program easily understandable,
each program is represented using a flow-chart rather than
instructions in machine language format.

0060 

(a) Content Reception Program 231 

The content reception program 231 is composed of instruction 
code sets S201, S202, S203, and S204 arranged in the stated order, 
as shown in FIG. 9. Each instruction code set contains one or more
instruction codes.
0061 

The instruction code set S201 includes a plurality of
instruction codes that indicates to receive the specification
of the content from the user of the personal computer 200.

The group of instruction codes S202 includes a plurality of
instruction codes that indicates to acquire a content identifier
identifying the content for which the specification has been received,
and to transmit the acquired content identifier to the transmission
server 300a via the communication unit 206 and the Internet 20.

0062 



The group of instruction codes S203 includes a plurality of 
instruction codes that indicates to receive the encrypted content 
from the transmission server 300a via the Internet 20 and the 
communication unit 206. Note that the received encrypted content 
is the encrypted content identified by the content identifier. 

The group of instruction codes S204 includes a plurality of 
instruction codes that indicates to write the received encrypted 
content into the hard disk unit 202 as encrypted content 221. 

0063 

(b) Content decryption program 232 

The content decryption program 232 includes instruction code sets
S211, S212, S213, S214, S215, S216, S217 and S218 and these instruction
code sets are arranged in the stated order in the content decryption
program 232, as shown in FIG. 10. Each instruction code set contains
one or more instruction codes.

0064 

The group of instruction codes S211 includes a plurality of 
instruction codes that indicates to receive a specification of one 
of the encrypted content stored in the hard disk unit 202 from a 
user of the personal computer 200. 

The group of instruction codes S212 includes a plurality of 
instruction codes that indicates to call the playback program 233 
stored in the memory 203. Executing the group of instruction codes
S212 causes parallel execution of the content decryption program 
232 and the playback program 233. 

0065 

The instruction code set S213 includes a plurality of
instruction codes that indicates to assign "-64" as an initial value
to a read point indicating a data position in bits in the specified
encrypted content, and to subsequently read the key corresponding
to the specified encrypted content from the hard disk unit 202.

The instruction code set S214 includes a plurality of
instruction codes that indicates to add 64 bits to the read point,
and then to attempt to read a block of data, starting at the position
in the encrypted content indicated by the resulting read point. The
plurality of instruction codes further indicates to read the block
of data from the position indicated by the read point if the position
lies within the encrypted content, and to output an end code indicating
that block reading has ended if the position indicated by the read
point lies outside the encrypted content. Note that one block is
data with a bit length of 64.

0066

The instruction code set S215 includes a plurality of
instruction codes that indicates to end processing by the content
decryption program 232 if the end code is outputted from the
instruction code set S214, and to pass control to the next instruction
code set S216 if the end code is not outputted.

The instruction code set S216 includes a plurality of 
instruction codes that indicates to call the decryption program 234 
with the read key and the read first block. 
0067 

The instruction code set S217 includes a plurality of
instruction codes that indicates to write the single decrypted block
generated by the decryption program 234 to the encrypted content
region 236 of the memory 203.

The instruction code set S218 includes a plurality of
instruction codes that indicates to pass control to the instruction
code set S214.

0068 

(c) Playback program 233

The playback program 233 is composed of the instruction code
sets S218, S219, and S220 as shown in FIG. 10, and these instruction
code sets are arranged in the stated order in the playback program
233. Each of the instruction code sets contains one or more instruction
codes.

0069 

The instruction code set S218 includes a plurality of 
instruction codes that indicates to read at least one decrypted block 
from the encrypted content region 236 of the memory unit 203. 

The instruction code set S219 includes a plurality of
instruction codes that indicates to generate the video data and audio
data from the read decrypted block, to convert the generated video
data and audio data, and to output the resulting video signals and
audio signals to the monitor 208 via the display control unit 205.

0070

The instruction code set S220 includes an instruction code
indicating a next step of passing control to the instruction code
set S218.

(d) Decryption program 234

The decryption program 234 is composed of a decryption control
module 241, an expanded key generation module 242, an addition module
243, a rotation module A_244, a rotation module B_245, a rotation
module C_246, and a rotation module D_247, as shown in FIG. 11.
0071 

Each module is a program composed of a combination of instruction
codes in a machine language format. The machine language format can
be decoded and executed by the microprocessor 201.

A description of the expanded key generation module 242, the
rotation module A_244, the rotation module B_245, the rotation module
C_246, and the rotation module D_247 is omitted here, since they
are respectively identical to the expanded key generation module
142, the rotation module A_143, the rotation module B_144, the rotation
module C_145, and the rotation module D_146, shown in FIG. 5.

0072 

Decryption control module 241 

The decryption control module 241 is composed to include 
instruction code sets S221 to S240 as shown in FIGs. 12 and 13, and 
these instruction code sets are arranged in the stated order in the 
decryption control module 241. Each instruction code set includes 
one or more instruction codes. 

0073 

The instruction code set S221 includes a plurality of
instruction codes that indicates to receive a single block of
ciphertext M and the key K from the caller program which called the
decryption control module 241. Note that one block is data with a
bit length of 64.

The instruction code set S222 includes a plurality of
instruction codes that indicates to call the expanded key generation
module 242 with the received key K. Execution of the instruction
code set S222 results in the generation of the 8 expanded keys K1,
K2, K3, ..., K8.
0074 

The instruction code set S223 includes an instruction code
which defines data M1 and an instruction code which defines data
M2. The data M1 are the 32 most significant bits of the received
ciphertext M, and the data M2 are the 32 least significant bits of
the received ciphertext M.

The instruction code set S224 includes a plurality of
instruction codes that indicates to take the XOR sum of the data
M1 and the data M2, and to store the result of this operation in
a variable TMP1.

0075 

TMP1 = M1 XOR M2

The instruction code set S225 includes a plurality of
instruction codes that indicates to call the addition module 243
with the variable TMP1 and the expanded key K1, and to store the
result of the operation in a variable TMP2. As a result TMP2 = TMP1
+ K1 is calculated by the addition module 243.

0076 

The instruction code set S226 includes a plurality of
instruction codes that indicates to call the rotation module
A_244 with the variable TMP2, and to store the result of the operation
in a variable TMP3.

TMP3 = Rot2(TMP2) + TMP2 + 1

The instruction code set S227 includes a plurality of
instruction codes that indicates to call the rotation module
B_245 with the variable TMP2, and to store the result of the operation
in a variable TMP4.

0077

TMP4 = Rot4(TMP3) XOR TMP3

The instruction code set S228 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
variable TMP4 and the data M1, and to store the result of the operation
in a variable TMP5.

TMP5 = TMP4 XOR M1

The instruction code set S229 includes a plurality of
instruction codes that indicates to call the addition module 243
with the variable TMP5 and the expanded key K2, and to store the
result of the operation in a variable TMP6. As a result TMP6 = TMP5
+ K2 is calculated by the addition module 243.
0078 

The instruction code set S230 includes a plurality of
instruction codes that indicates to call rotation module A_244 with
the variable TMP6, and to store the result of the operation in a
variable TMP7.

TMP7 = Rot2(TMP6) + TMP6 + 1

The instruction code set S231 includes a plurality of
instruction codes that indicates to call the rotation module C_246
with the variable TMP7 and to store the result of the operation in
a variable TMP8.
0079

TMP8 = Rot8(TMP7) XOR TMP7

The instruction code set S232 includes a plurality of
instruction codes that indicates to call the addition module 243
with the variable TMP8 and the expanded key K3, and to store the
result of the operation in a variable TMP9. As a result, TMP9 = TMP8
+ K3 is calculated by the addition module 243.
0080 

The instruction code set S233 includes a plurality of
instruction codes that indicates to call the rotation module A_244
with the variable TMP9, and to store the result of the operation
in a variable TMP10.

TMP10 = Rot2(TMP9) + TMP9 + 1

The instruction code set S234 includes a plurality of
instruction codes that indicates to call rotation module D_247 with
the variable TMP7 and the variable TMP10, and to store the result
of the operation in a variable TMP11.

0081 

TMP11 = Rot16(TMP10) + (TMP10 AND TMP7)

The instruction code set S235 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
variable TMP11 and the variable TMP1, and to store the result of
the operation in a variable TMP12.

TMP12 = TMP11 XOR TMP1

The instruction code set S236 includes a plurality of
instruction codes that indicates to call the addition module 243
with the variable TMP12 and the expanded key K4, and to store the
result of the operation in a variable TMP13. As a result, TMP13 =
TMP12 + K4 is calculated by the addition module 243.

0082 

The instruction code set S237 includes a plurality of
instruction codes that indicates to call the rotation module A_244
with the variable TMP14, and to store the result of the operation
in a variable TMP14.

TMP14 = Rot2(TMP13) + TMP13 + 1

The instruction code set S238 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
variable TMP14 and the variable TMP4, and to store the result of
the operation in a variable TMP15.
0083

TMP15 = TMP14 XOR TMP4

The instruction code set S239 includes a plurality of
instruction codes that indicates to perform an XOR operation on the
variable TMP15 and the variable TMP12, and to store the result of
the operation in a variable TMP16.

TMP16 = TMP15 XOR TMP12

The instruction code set S240 includes a plurality of instruction
codes that indicates to output a 64-bit integer having the variable
TMP15 as its 32 most significant bits and the variable TMP16 as its
least significant bits, as a decrypted text M, to the caller program.

0084 

Addition module 243 

The addition module 243 is a program that calculates data a
+ b from input data a and b, and outputs the data a + b. The
addition module is composed of a conversion unit 251,
a main calculation unit 252, and an inverse conversion unit 253,
as shown in FIG. 14. The conversion unit 251 includes a parameter
storage unit 261 and a power operation unit 262. The main calculation
unit 252 includes a parameter storage unit 263 and a multiplication
unit 264. The inverse calculation unit 253 includes a parameter storage
unit 265, a discrete logarithm calculation unit 266, and a CRT (Chinese
Remainder Theorem) unit 267.



0085 

(i) Definition of each parameter and symbol, and description of input
data conditions

The following gives definitions of the various parameters and
symbols, and describes conditions on the input data to the addition
module 243.

Let p_i (i = 1, 2, ..., k) be mutually differing prime numbers.
Each p_i (i = 1, 2, ..., k) denotes a small prime number so that, say,
p_1 = 3, p_2 = 5, p_3 = 7, p_4 = 13, ..., and k = 17. Let n be the product
of these primes p_1 x p_2 x ... x p_k, where the symbol "x" denotes a
multiplication. The product n may be a number that can be expressed
using approximately 64 bits. In the case that k = 17, n = p_1 x p_2
x ... x p_k > 2

0086 

p_i (i = 1, 2, ..., k) are stored by the inverse conversion unit
253, and n is stored by both the conversion unit 251 and the main
calculation unit 252.

The addition module 243 performs multiplicative group
operations in the integer residue ring Z/nZ, which is composed of
integers modulo n. Let g be a pre-assigned value belonging to the
multiplicative group and a primitive element for p_i (i = 1, 2, ...,
k).

0087 

Saying that g is the primitive element for p_i (i = 1, 2, ...,
k) means that for each p_i, g has a value such that when m is given
values of 1, 2, ..., the first value of m that satisfies g^m = 1 mod
p_i is p_i - 1.

Let L = LCM(p_1 - 1, p_2 - 1, ..., p_k - 1), where LCM(p_1 - 1, p_2
- 1, ..., p_k - 1) denotes the Least Common Multiple of p_1 - 1, p_2 - 1,
..., p_k - 1.
0088

The input data a and b are each non-negative integers smaller
than L/2.

(ii) Construction of conversion unit 251 

The conversion unit 251 includes the parameter storage unit
261 and the power operation unit 262.

The parameter storage unit 261 stores n and g.

The power operation unit 262 receives the input data a and
b, calculates

g_a = g^a mod n and
g_b = g^b mod n

for the received input data a and b, and outputs the obtained
g_a and g_b to the main calculation unit 252.
0089 

(iii) Construction of main calculation unit 252

The main calculation unit 252 includes the parameter storage
unit 263 and the multiplication unit 264.

The parameter storage unit 263 stores the parameter n.

The multiplication unit 264 receives g_a and g_b from the power
operation unit 262, calculates

g_ab = g_a x g_b mod n

for the received g_a and g_b, and outputs the obtained g_ab to the
inverse conversion unit 253.
0090 

(iv) Construction of inverse conversion unit 253 

The inverse conversion unit 253 includes the parameter storage
unit 265, the discrete logarithm calculation unit 266, and the CRT
unit 267.

The parameter storage unit 265 stores p_1, p_2, ..., p_k.

The discrete logarithm calculation unit 266 receives g_ab from
the multiplication unit 264, and calculates the discrete logarithms
c_i mod p_i - 1, of g_ab mod p_i (i = 1, 2, ..., k) with respect to a base
of g mod p_i.

0091 

In other words, the discrete logarithm calculation unit 266
calculates c_i mod p_i - 1 (i = 1, 2, ..., k) satisfying g_ab = g^(c_i) mod p_i
(i = 1, 2, ..., k), and then outputs the obtained c_i mod p_i - 1 (i
= 1, 2, ..., k) to the CRT unit 267.

Various calculation methods exist for calculation of c_i mod
p_i - 1 by the discrete logarithm calculation unit 266. The following
is one such method.
0092 

Here, w is set to 1, 2, 3, ... in the stated order to find w
satisfying g^w = g_ab mod p_i. The w thus found is designated as c_i.

Alternatively the calculation results
g^1, g^2, ..., g^(p_i - 2) mod p_i for each p_i
may be stored as a table, and the table searched to find the
value of g^w that equals g_ab mod p_i. This in turn gives a value of w
to designate as c_i.

The CRT unit 267 receives the c_i mod p_i - 1 (i = 1, 2, 3, ..., k)
from the discrete logarithm calculation unit 266, and finds the
discrete logarithm c mod L of g_ab mod n with respect to base g mod
n from the received c_i mod p_i - 1 (i = 1, 2, 3, ..., k) using the Chinese
Remainder Theorem. In other words the CRT unit 267 finds c to satisfy
c_i = c mod p_i - 1 (i = 1, 2, 3, ..., k).
0093 

To find c mod L (where L = LCM(p_1 - 1, p_2 - 1, ..., p_k - 1)) from
the discrete logarithm c_i mod p_i - 1 (i = 1, 2, 3, ..., k) using the Chinese
Remainder Theorem, the following method is used.
0094

In order to avoid complicated expressions, let m_i = p_i - 1.
First it is calculated that

u_2 = m_1 x (m_1^(-1) mod (m_2/GCD(m_1, m_2))) x (c_2 - c_1) + c_1

where GCD(a, b, c, ...) indicates the Greatest Common Divisor of
a, b, c, ....

Next, it is calculated that

u_3 = (m_1 x m_2) x ((m_1 x m_2)^(-1) mod (m_3/GCD(m_1, m_2, m_3))) x (c_3 -
u_2) + u_2, and

u_4 = (m_1 x m_2 x m_3) x ((m_1 x m_2 x m_3)^(-1) mod (m_4/GCD(m_1, m_2, m_3, m_4)))
x (c_4 - u_3) + u_3.

Similarly, u_1, u_2, ..., u_(k-1) are calculated in this order. Lastly,
the following is calculated:

u_k = (m_1 x m_2 x m_3 x ... x m_(k-1)) x ((m_1 x m_2 x ... x m_(k-1))^(-1) mod (m_k/GCD(m_1,
m_2, m_3, m_4, ..., m_(k-1)))) x (c_k - u_(k-1)) + u_(k-1).
0095

Next, c = u_k is calculated to obtain c.

Note that a method for calculating the c mod L that satisfies
c mod p_i - 1 = c_i from the c_i (i = 1, 2, 3, ..., k) using the CRT 267 is described
in detail in the non-patent document 2.

Next, the CRT unit 267 outputs the obtained c to the caller
program which called the addition module 243.

(v) Operation of addition using addition module 243

Operations of addition using the addition module 243 are
described with reference to the flow-chart shown in FIG. 15.

The power operation unit 262 receives the input data a and
b from the caller program which called the addition module 243 (Step
S301), and calculates g_a = g^a mod n and g_b = g^b mod n for the input
data a and b (Steps S302 and S303).

0097

Next, the multiplication unit 264 calculates g_ab = g_a x g_b mod
n for g_a and g_b (Step S304).

Next, the discrete logarithm calculation unit 266 finds c_i
mod p_i - 1 (i = 1, 2, 3, ..., k) satisfying g_ab = g^(c_i) mod p_i (i = 1, 2, ..., k)
(Step S305). The CRT unit 267 finds c satisfying c_i = c mod p_i - 1
(i = 1, 2, ..., k) (Step S306), and outputs the obtained c to the caller
program which called the addition module 243 (Step S307).
0098 

(vi) Verification of addition operation by addition module 

It is verified below that the addition unit 243 outputs the
data a + b for the input data a, b.

g_a = g^a mod n and g_b = g^b mod n are calculated for the input
data a and b in the conversion unit 251, and g_ab = g_a x g_b mod n is
calculated in the main calculation unit 252. At this stage, it is
obvious that g_ab = g^(a + b) mod n is satisfied.

The inverse conversion unit 253 calculates c_i that satisfy
g_ab = g^(c_i) mod p_i (i = 1, 2, ..., k) from g and g_ab, and calculates c mod
L to satisfy c = c_i mod p_i - 1. Here, c satisfies g_ab = g^c mod n. This
is because a + b = c mod L gives
g^(a + b - c) = 1 mod n. Thus, since c satisfies g^(a + b) mod n = g^c mod n,
c also satisfies a + b = c mod ((p_1 - 1) x (p_2 - 1) x ... x (p_k - 1)).
a < L/2 and b < L/2 gives a + b < L. Thus, the addition module 243
will output data a + b, the sum of data a and data b.
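
The three units of the addition module 243 can be traced end to end with small numbers. The following Python code is an added example, not code from the specification: the eight primes, the search for g and all function names are assumptions, and the CRT step uses the standard pairwise merge for non-coprime moduli rather than the u_2, ..., u_k recurrence printed above.

```python
from functools import reduce
from math import gcd, prod

# Constructed parameters (assumption): eight small distinct primes p_i.
PRIMES = (3, 5, 7, 11, 13, 17, 19, 23)
N = prod(PRIMES)                                   # n = p_1 x ... x p_k
L = reduce(lambda x, y: x * y // gcd(x, y),        # L = LCM(p_i - 1)
           (p - 1 for p in PRIMES))


def is_primitive(g, p):
    """True if the first m >= 1 with g^m = 1 mod p is m = p - 1."""
    if g % p == 0:
        return False
    x = g % p
    for _ in range(1, p - 1):          # checks g^1 .. g^(p-2)
        if x == 1:
            return False
        x = x * g % p
    return True


def find_generator():
    """Smallest g that is a primitive element for every p_i (one exists by CRT)."""
    g = 2
    while not all(is_primitive(g, p) for p in PRIMES):
        g += 1
    return g


G = find_generator()


def convert(a):
    """Conversion unit 251: g_a = g^a mod n."""
    return pow(G, a, N)


def main_calc(g_a, g_b):
    """Main calculation unit 252: g_ab = g_a x g_b mod n."""
    return g_a * g_b % N


def dlog_small(target, p):
    """Discrete logarithm unit 266: try w = 1, 2, 3, ... until g^w = target mod p."""
    x = G % p
    for w in range(1, p):
        if x == target % p:
            return w % (p - 1)         # c_i mod (p_i - 1)
        x = x * G % p
    raise ValueError("target is not a power of g mod p")


def crt_merge(u, m_acc, c, m):
    """Combine u mod m_acc with c mod m when the moduli may share factors."""
    d = gcd(m_acc, m)
    if (c - u) % d:
        raise ValueError("inconsistent residues")
    step = m // d
    t = ((c - u) // d * pow(m_acc // d, -1, step)) % step if step > 1 else 0
    return u + m_acc * t, m_acc * step


def inverse_convert(g_ab):
    """Inverse conversion unit 253: per-prime logarithms, then CRT to c mod L."""
    u, m_acc = 0, 1
    for p in PRIMES:
        u, m_acc = crt_merge(u, m_acc, dlog_small(g_ab, p), p - 1)
    return u


def obfuscated_add(a, b):
    """a + b computed as a modular multiplication; inputs must be below L/2."""
    if a < 0 or b < 0 or 2 * a >= L or 2 * b >= L:
        raise ValueError("inputs must be non-negative and smaller than L/2")
    return inverse_convert(main_calc(convert(a), convert(b)))


if __name__ == "__main__":
    print("n =", N, "L =", L, "g =", G)
    print("1234 + 2345 ->", obfuscated_add(1234, 2345))
```

The input condition matters because the result is only recovered modulo L: with these parameters, 4000 + 4000 fed directly through the three units comes back as 80.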
0099

1.4 Effects of the First Embodiment

The addition module 243 converts the values that are to be
added. Note that even when the conversion unit 251 and the inverse
conversion unit 253 are difficult to analyze, there is a risk that
an analyst will discover the values g_a, g_b and g_ab, and discover the
processing by which g_ab is calculated from g_a and g_b. However, even
in the event that the values g_a, g_b and g_ab are discovered, it is still
difficult to infer the unconverted values a and b from the converted
values g_a and g_b. Moreover, the addition module 243 performs
multiplication in the main calculation unit 252, and it is difficult
to infer from this operation of multiplication that the addition module
243 is in fact realizing an addition. Consequently, the first
embodiment has the effect of making it possible to conceal not only
the input values to the addition operation, but also the operation
itself.
0100 

The decryption control unit 241 uses the addition module 243 
when adding the key to other data. Consequently, it is difficult 
to infer the values that are being added, including the values of 
the key. Moreover, even if the analyst knows the encryption algorithm
it is difficult for them to infer that the key addition portion is
performing an addition involving the key. Therefore, even an analyst
carrying out an attack specifically to find the key addition portion
characteristic of encryption algorithms will have difficulties due
to the difficulty of finding the key addition portion. Hence, the
embodiment is effective in making an attack by an analyst difficult.
0101 

2. Second Embodiment

The addition module 501 may be used in place of the addition
module 243 of the first embodiment. The addition module 501 is described
below.

2.1 Construction of addition module 501

The addition module 501 is a program that calculates the data
a + b from data a and data b and outputs the data a + b, similarly
to the addition module 243. The addition module 501 is composed of
a conversion unit 511, a main calculation unit 512, and an inverse
conversion unit 513, as shown in FIG. 16. The conversion unit 511
is composed of a parameter storage unit 521, a random number generation
unit 522, and a power operation unit 523. The main calculation unit
512 includes a parameter storage unit 524 and a multiplication unit
525. The inverse conversion unit 513 includes a parameter storage
unit 526, a discrete logarithm calculation unit 527, and a reduction
unit 528.

0102 

2.2 Definition of each parameter and symbol, and description of input
data conditions

The following gives definitions of each parameter and symbol
used in the addition module 501, and describes input data conditions.

Let p and q be prime numbers, and let n = p^2 x q. p and q are
stored by the inverse conversion unit 513, and n is stored by both
the conversion unit 511 and the main calculation unit 512.
0103

The addition module 501 uses multiplicative group operations
of an integer residue ring Z/nZ, which is composed of integers modulo
n. Let g be a pre-assigned number belonging to the multiplicative
group and the order of g^(p-1) mod p^2 be p. Moreover, let g_p be defined
as g^(p-1) mod p^2.

Input data a and b are non-negative numbers each smaller than
p/2.

0104 

2.3 Construction of conversion unit 511 

The conversion unit 511 is composed of a parameter storage
unit 521, a random number generation unit 522, and a power operation
unit 523.

The parameter storage unit 521 stores the parameters n and
g.

The random number generation unit 522 generates random numbers
R1 and R2, neither of which is greater than n.
0105

The power operation unit 523 calculates

g_a = g^(a + n x R1) mod n, and
g_b = g^(b + n x R2) mod n

for the input data a and b using the random numbers R1 and
R2 calculated by the random number generation unit 522.

In this specification, the symbol "^" is an operator indicating
a power. For instance, a^b = aᵇ. In this specification a^b and aᵇ
type expressions are variously used for ease of expression.

0106 



Next, the power operation unit 523 outputs the results g_a and
g_b to the main calculation unit 512.

2.4 Construction of main calculation unit 512

The main calculation unit 512 is composed of a parameter storage
unit 524 and a multiplication unit 525.

The parameter storage unit 524 stores n.

The multiplication unit 525 receives the calculation results
g_a and g_b from the power operation unit 523, calculates g_ab = g_a x
g_b for the received g_a and g_b, and outputs the result g_ab to the inverse
conversion unit 513.

0107 

2.5 Construction of inverse conversion unit 513

The inverse conversion unit 513 is composed of a parameter
storage unit 526, a discrete logarithm calculation unit 527, and
a reduction unit 528.

The parameter storage unit 526 stores p.

The discrete logarithm calculation unit 527 receives the
calculation result g_ab from the multiplication unit 525, calculates

c_p = g_ab^(p-1) mod p^2

for the received g_ab using the parameter p that is stored in the parameter
storage unit 526, and subsequently outputs c_p to the reduction unit
528.

0108 

The reduction unit 528 receives c_p from the discrete logarithm
calculation unit 527, calculates the discrete logarithm c of c_p with
respect to base g_p mod p^2 using the received c_p, and outputs the obtained
discrete logarithm c, to the caller program.

The calculation method for c in the reduction unit 528 is
described in more detail in patent document 2. In practice, it involves
the following.

0109

The reduction unit finds, for c_p, a c satisfying
c = (c_p - 1) / (g_p - 1) mod p.

2.6 Addition operations by addition module 501 

The addition operations by the addition module 501 are described 
with reference to the flow-chart shown in FIG. 17. 

The power operation unit 523 receives the input data a and
b from the caller program (Step S311), the random number generation
unit 522 generates the random numbers R1 and R2 neither of which
is greater than n (Step S312), and the power operation unit 523
calculates

g_a = g^(a + n x R1) mod n, and

g_b = g^(b + n x R2) mod n (Step S313 to S314).
0110

Note that, in this specification, the symbol "^" is an operator
indicating a power. For instance, a^b = aᵇ. In this specification
both "a^b" and "aᵇ" type expressions are variously used.

Next, the multiplication unit 525 calculates g_ab = g_a x g_b mod
n (Step S315).

0111

Next, the discrete logarithm calculation unit 527 calculates
c_p = g_ab^(p-1) mod p^2 (Step S316), the reduction unit 528 finds c such
that c = (c_p - 1) / (g_p - 1) mod p (Step S317), and subsequently outputs
c (= a + b) to the caller program (Step S318).



0112 

2.7 Verification of addition operation by addition module 501 

It is verified below that the addition module 501 outputs a
+ b for input data a and b.

In the conversion unit 511,

g_a = g^(a + n x R1) mod n, and

g_b = g^(b + n x R2) mod n

are calculated for a and b. In the main calculation unit 512,
g_ab = g_a x g_b mod n is calculated. At this stage, it is obvious that
g_ab = g^(a + b + n x (R1 + R2)) mod n is satisfied. The inverse conversion
unit 513 calculates

c_p = g_ab^(p-1) = g_p^(a + b + n x (R1 + R2)) mod p^2.

From g_p^p = 1 mod p^2,

g_p^n = 1 mod p^2,

giving c_p = g_p^(a+b) mod p^2.

0113

The conversion unit 513 finds the discrete logarithm c of c_p
with respect to base g_p mod p^2. In other words, c_p = g_p^c mod p^2 is
satisfied. Consequently, c = a + b mod p. Moreover, a < p/2 and b
< p/2 gives a + b < p. Therefore, the addition module 501 will output
the result of the addition of the input data a and b.
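
Added example (not part of the specification): the addition module 501 in Python, following Steps S311 to S318. The toy primes p = 2^31 - 1 and q = 2^61 - 1, the choice of starting the search for g at 7, and all function names are assumptions; the reduction step divides the common factor p out of (c_p - 1) and (g_p - 1) before inverting modulo p, which is how the quotient given for the reduction unit 528 is evaluated here.

```python
import secrets

# Constructed parameters (assumption): two Mersenne primes, far smaller than
# the roughly 1024-bit n the specification has in mind.
P = 2**31 - 1
Q = 2**61 - 1
N = P * P * Q                       # n = p^2 x q, held by units 511 and 512


def pick_g(start=7):
    """First g >= start, coprime to n, whose g_p = g^(p-1) mod p^2 has order p.

    g_p is always 1 mod p, so its order is p exactly when g_p != 1 mod p^2.
    """
    g = start
    while g % P == 0 or g % Q == 0 or pow(g, P - 1, P * P) == 1:
        g += 1
    return g


G = pick_g()
G_P = pow(G, P - 1, P * P)          # g_p, computable only with knowledge of p


def convert(x):
    """Conversion unit 511: g^(x + n x R) mod n with a fresh random R <= n."""
    r = secrets.randbelow(N) + 1
    return pow(G, x + N * r, N)


def main_calc(g_a, g_b):
    """Main calculation unit 512: g_ab = g_a x g_b mod n."""
    return g_a * g_b % N


def l_quotient(x):
    """(x - 1) / p as an exact integer, defined for x = 1 mod p."""
    if (x - 1) % P:
        raise ValueError("value is not congruent to 1 mod p")
    return (x - 1) // P


def inverse_convert(g_ab):
    """Inverse conversion unit 513: c_p = g_ab^(p-1) mod p^2, then reduction."""
    c_p = pow(g_ab, P - 1, P * P)
    # c_p = g_p^c = 1 + c x (g_p - 1) mod p^2, so dividing both sides'
    # "minus one" parts by p leaves c x l_quotient(g_p) mod p.
    return l_quotient(c_p) * pow(l_quotient(G_P), -1, P) % P


def obfuscated_add(a, b):
    """a + b via exponentiation and one multiplication; inputs below p/2."""
    if a < 0 or b < 0 or 2 * a >= P or 2 * b >= P:
        raise ValueError("inputs must be non-negative and smaller than p/2")
    return inverse_convert(main_calc(convert(a), convert(b)))


if __name__ == "__main__":
    print("g =", G)
    print("123456789 + 987654321 ->", obfuscated_add(123456789, 987654321))
```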

0114 

2.8 Effects of addition module 501 

The addition module 501 converts the values that are to be 
added. Provided the conversion unit 511 and the inverse conversion 
unit 513 are difficult to analyze, it is then difficult to infer 
the unconverted values from the converted values. Moreover, the
addition module 501 performs multiplication in the main calculation
unit 512, and it is difficult to infer from the multiplication operation
that the addition module 501 is in fact realizing an addition.
Consequently, the addition module 501 has the effect of making it
possible to conceal not only the input values for the addition, but
also the operation of addition itself.
0115 
2.9 Notes (1) 

In the addition module 501, the power operations in the 
multiplicative group of the integer residue ring Z/nZ are performed 

10 by the conversion unit 511. The discrete logarithm problem in the 
multiplicative group of the integer residue ring Z/p 2 Z, which is a 
subgroup of the multiplicative group of the integer residue ring 
Z/nZ, is solved by the inverse conversion unit 513. Consider the 
case in which the analyst does not know p or q but has been able 

15 to discover that power operations are being performed in the conversion 
unit511. In this case, only the inverse conversion unit 513 is difficult 
to analyze. However, if n is large enough to make prime factorization 
difficult (of the order of 1024 bits) , p and q are very difficult 
to obtain since to do so would require a prime factorization of n. 

20 Without obtaining p and q, the discrete logarithm problem in the 
multiplicative group of the residue integer ring Z/nZ is hard. 
Generally, when the size (number of elements) of a multiplicative 
group is large (of the order of 1024 bits, for instance) , the discrete 
logarithm problem in the group is hard. In the addition module 501, 

25 if p is known, the discrete logarithm problem in the multiplicative 
group Z/p 2 Z is easily solvable by inverse conversion in the inverse 
conversion unit 513 . The addition module 501 differs from the addition 
module 243 in that the addition module 501 makes use of the fact 



that inverse conversion is easy if p is known but difficult if p 
is unknown. 
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2.10 Notes (2) 

5 The addition module 501 may be composed as follows. 

Let p and q be prime numbers, and n = p m x q, where m is an 
integer. The addition module 501 makes use of calculations in the 
multiplicative group of the integer residue ring composed of integers 
modulon . Let gbe a pre -as signed number belonging to the multiplicative 
10 group where the order of g (p_1) mod p m is p. Moreover, define g p = g (p_1) 
mod p m . 
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The discrete logarithm calculation unit 527 receives the 
calculation result g^ from the multiplication unit 525, and uses 
15 the prime p stored in the parameter storage unit 526, to calculate 

c p = gab (p_1) mod p m , 
and subsequently outputs c p to the reduction unit 528. 

The reduction unit 528 receives c p from the discrete logarithm 
calculation unit 527, calculates the discrete logarithm c of c p with 
20 respect to g p modulo p m , and outputs the obtained c to the caller 
program . 
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3, Modifications (2) 

An addition module 601 may be used in place of the addition 
25 module 243 of the first embodiment . The additionmodule 601 is described 
below. The addition module 601 uses scalar multiplication on an 
elliptic curve . Elliptic curves are described in detail in non-patent 
document 3 . 
3.1 Construction of addition module 601

The addition module 601 is a program that calculates and outputs
data a + b for input data a and b, similarly to the addition module
243. As shown in FIG. 18, the addition module is composed of a conversion
unit 611, a main calculation unit 612, and an inverse conversion
unit 613. The conversion unit 611 includes a parameter storage unit
621 and a scalar multiplication unit 622. The main calculation unit
612 includes a parameter storage unit 623 and an elliptic curve addition
unit 624, and the inverse conversion unit 613 includes a parameter
storage unit 625, a reduction unit 626, and a discrete logarithm
calculation unit 627.
3.2 Definition of each parameter and symbol, and input data conditions

The following description gives definitions of the various
parameters and symbols used in the addition module 601, and describes
input data conditions.

Let p and q be prime numbers, and let n = p x q. p and q are
stored by the inverse conversion unit 613, and n is stored by both
the conversion unit 611 and the main calculation unit 612.

Let the equation for an elliptic curve E be

y^2 = x^3 + Ax + B,

where A and B are parameters of the elliptic curve E.

Let G = (x_g, y_g) mod n be a point on the elliptic curve E satisfying

y_g^2 = x_g^3 + A x_g + B mod n.

A, B and G are stored by the conversion unit 611, the main
calculation unit 612, and the inverse conversion unit 613.
The group composed of points in a field GF(p) which satisfy
the equation of the elliptic curve E is denoted E(GF(p)). Similarly,
the group composed of points in a field GF(q) which satisfy the equation
of the elliptic curve E is denoted E(GF(q)).

The elliptic curve group over Z/nZ is denoted as the product
of E(GF(p)) and E(GF(q)), which is E(GF(p)) x E(GF(q)). Note that
since Z/nZ is a ring rather than a field, mathematically E(GF(p))
x E(GF(q)) cannot be called an elliptic curve. However, for convenience,
E(GF(p)) x E(GF(q)) is called a direct product elliptic curve group
over Z/nZ.
For the point G = (x_g, y_g) mod n of the elliptic curve E(GF(p))
x E(GF(q)) over Z/nZ, which corresponds to the point G_p = (x_gp, y_gp)
mod p in E(GF(p)) and to the point G_q = (x_gq, y_gq) mod q in E(GF(q)),
x_g is defined as a number satisfying

x_g mod p = x_gp and
x_g mod q = x_gq,

and y_g is defined as a number which satisfies

y_g mod p = y_gp and
y_g mod q = y_gq.

0124

According to this definition, a point G_p in E(GF(p))
corresponding to the point G = (x_g, y_g) mod n in E(GF(p)) x E(GF(q))
is

G_p = (x_gp, y_gp) mod p,

and a point G_q in E(GF(q)) is

G_q = (x_gq, y_gq).

Hence, E(GF(p)) and E(GF(q)) are regarded as subgroups of
E(GF(p)) x E(GF(q)).
0125

In the addition unit 601, the elliptic curve E is an elliptic
curve modulo p whose order (the number of points on the curve) is
p. This kind of elliptic curve over the field GF(p) is known as an
anomalous elliptic curve.

Further, the elliptic curve E is an elliptic curve modulo q.
This means that GF(q) is also an anomalous elliptic curve.

The elliptic curve over Z/nZ is known as a super-anomalous
elliptic curve. Super-anomalous elliptic curves are described in
non-patent document 4.

The group of the elliptic curve over Z/nZ is E(GF(p)) x E(GF(q)),
meaning that the order of this elliptic curve is

n (= p x q).

The input data a and b are non-negative numbers smaller than
p/2.

3.3 Construction of conversion unit 611

The conversion unit 611 is composed of a parameter storage
unit 621 and a scalar multiplication unit 622. The parameter storage
unit 621 stores parameters n, A, B, and G.

The scalar multiplication unit 622 receives input data a and
b from the caller program, and calculates

G_a = a * G mod n
G_b = b * G mod n

for the received input data a and b using the n, A, B and G stored
in the parameter storage unit 621.

Note that a * G is the point obtained by adding together a copies
of G using elliptic curve addition. Further, a * G mod n is computed
by reducing each coordinate of a * G modulo n.

The scalar multiplication unit 622 outputs the calculation
results G_a and G_b to the main calculation unit 612.

3.4 Construction of main calculation unit 612

The main calculation unit 612 is composed of a parameter storage
unit 623 and an elliptic curve addition unit 624.

The parameter storage unit 623 stores n, A and B.

The elliptic curve addition unit 624 receives the calculation
results G_a and G_b from the scalar multiplication unit 622, executes
elliptic curve addition on G_a and G_b using the n, A and B stored in
the parameter storage unit 623 to calculate

G_ab = G_a + G_b mod n,

and outputs the calculation result G_ab to the inverse conversion unit
613.
3.5 Construction of inverse conversion unit 613

The inverse conversion unit 613 is composed of a parameter
storage unit 625, a reduction unit 626, and a discrete logarithm
unit 627.

The parameter storage unit 625 stores p, A, B, and G mod p.

The reduction unit 626 receives the calculation result G_ab from
the elliptic curve addition unit 624 and, for the received G_ab, uses
the p stored in the parameter storage unit 625 to calculate

G_abp = G_ab mod p,

and outputs the calculation result to the discrete logarithm
calculation unit 627.

The discrete logarithm calculation unit 627 calculates the
discrete logarithm c mod p of G_abp with respect to base G mod p. In
other words, the discrete logarithm calculation unit 627 finds c
to satisfy G_abp = c * G. Next the discrete logarithm calculation unit
627 outputs c to the caller program.

Note that the c found by the elliptic curve discrete logarithm
calculation unit 627 is the solution to the discrete logarithm problem
on the anomalous elliptic curve. A method for solving the discrete
logarithm problem on anomalous curves is described in detail in
non-patent document 3, pp 88 to 91, and a description of the method
is therefore omitted here.
3.6 Operation of addition module 601

The operation of the addition module 601 is described with
reference to the flow-chart shown in FIG. 19.

The scalar multiplication unit 622 receives the input data
a and b from the caller program (Step S321), and calculates

G_a = a * G mod n and
G_b = b * G mod n

for the received input data a and b using the n, A, B and G stored
in the parameter storage unit 621 (Steps S322 and S323).

0134

Next the elliptic curve addition unit 624 calculates

G_ab = G_a + G_b mod n (Step S324).

Next, the reduction unit 626 calculates

G_abp = G_ab mod p (Step S325),

the discrete logarithm calculation unit 627 calculates the
discrete logarithm c of G_abp with respect to base G mod p (Step S326),
and subsequently outputs c to the caller program (Step S327).
3.7 Addition module 601 operation verification

It is verified below that the addition module 601 outputs the
data a + b for the input data a, b.

G_a = a * G mod n and
G_b = b * G mod n

are calculated for a and b in the conversion unit 611, and
G_ab = G_a + G_b mod n is calculated in the main calculation unit 612.

It is obvious at this point that G_ab = (a + b) * G is satisfied.
The conversion unit 613 first calculates

G_abp = G_ab mod p,

and then the discrete logarithm c of G_abp with respect to G mod p.
In other words, c is calculated to satisfy G_abp = c * G mod p.

Consequently, c = a + b mod p. Moreover, a < p/2 and b < p/2
gives a + b < p. Therefore, given the input data a and b, the addition
module 601 outputs the result of a + b.



3.8 Effects of the addition module 601

The addition module 601 converts the values in a similar way
to the addition module 243 and the addition module 501. Provided
that the conversion unit 611 and the inverse conversion unit 613
are difficult to analyze, this conversion makes it difficult to infer
the unconverted values from the converted values.

0138

The addition module 601 performs elliptic curve addition in
the main calculation unit 612. It is difficult to infer from the elliptic
curve operation that the addition module 601 is in fact realizing
an addition.

Consequently, the addition module 601 has the effect of making
it possible to conceal not only the input values for the addition,
but also the operation of addition itself.
3.9 Notes

In the addition module 601, scalar multiplications in the group
E(GF(p) x GF(q)) formed by the elliptic curve over Z/nZ are performed
by the conversion unit, and the discrete logarithm problem in the
subgroup E(GF(p)) is solved by the inverse conversion unit.

In the case where a person attempting to analyze the program
discovers that a power calculation is being performed in the
conversion unit but does not know p and q, only the inverse
conversion unit is difficult to analyze.

However, if n is large enough to make the prime factorization
difficult (of the order of 1024 bits, for instance), it is difficult
to obtain p and q since to do so would require a prime factorization
of n. Without obtaining p and q, it is difficult to solve the discrete
logarithm problem in the group E(GF(p) x GF(q)) formed by the elliptic
curve over Z/nZ.

Generally, when the size (number of elements) of a group is
large (of the order of 1024 bits, for instance), it is difficult
to solve the discrete logarithm problem in the group. In the case
of the addition module 601, if p is known, the discrete logarithm
problem in the elliptic curve group is easily solvable by inverse
conversion in the inverse conversion unit. The conversions performed
by the addition module 601 differ from those of the first embodiment
in that they make use of the fact that inverse conversion is easy
if p is known but difficult if p is unknown.

0141

Other Exemplary Modifications

Although the present invention has been described based on
the above embodiments, the present invention is not limited to these
embodiments. The following modifications are also included in the
present invention.

(1) The addition modules 243, 501, and 601 are described as
performing the addition of two non-negative integers, but the addition
modules may perform the addition of three or more non-negative integers.
In this case, the conversion unit of the addition module in question
converts each of the non-negative numbers. Next, in the case of
addition modules 243 and 501, the main calculating unit performs
a multiplication using the results of the conversions. In the case
of the addition module 601, the main calculating unit performs elliptic
curve addition using the results of the conversions.

(2) The addition modules 243, 501, and 601 were only described
as being used in a key addition section of the decryption control
module 241, but each addition module may be used in other addition
sections of the decryption control module.

(3) In the First Embodiment, the addition module is used in
the decryption control module 241, but the addition module may be
used in the encryption control module 141, in another encryption
program, or in a signature generating program. This invention can
be similarly applied to any information processing operation that
makes use of addition.
(4) In the addition modules 243, 501 and 601, an integer residue
ring multiplicative group and a group over an elliptic curve were
used, but other types of group may be used.

Note also that although the integers were converted by
performing power operations in addition modules 243 and 501, and
by performing elliptic curve scalar multiplication in the addition
module 601, other group-related power operations may be used to convert
the integers.

Note that the power operation refers to a basic group operation,
such as a multiplication in an integer residue ring or an elliptic
curve addition in a group over an elliptic curve, that is repeated
a number of times.

Thus, the power operation in a multiplicative group of an
integer residue ring is an exponentiation, and the power operation
in the group over the elliptic curve is an elliptic curve scalar
multiplication.

In the addition module 501, the discrete logarithm problem
is solved in the multiplicative group of the integer residue ring
Z/p^2Z, which is a subgroup of the multiplicative group of the integer
residue ring Z/nZ. When a different group is used, a conversion unit
similar to that of the addition module 501 may solve the discrete
logarithm problem in a subgroup of the different group.

0145

(5) In the addition module 243, g was the primitive root in
p_i (i = 1, 2, ..., k), but g need not be the primitive root.

When g is not the primitive root, let L = m_1 x m_2 x ... x m_k for
m_i where g^(m_i) = 1 mod p_i (m_i > 0).

(6) Specifically, the above-described devices are computer
systems each constructed from a microprocessor, ROM, RAM, a hard
disk unit, a display unit, a keyboard, a mouse, and the like. A program
is recorded in the RAM or in the hard disk unit. The program is composed
of a combination of instruction codes representing instructions to
the computer. Each device fulfills its function as a result of the
microprocessor operating in accordance with the program. In short,
the microprocessor reads the instruction codes in the program one
at a time, decodes the read instruction codes, and operates in
accordance with the results.

(7) Some or all of the components constituting the above devices
may be constructed using a single system LSI (Large Scale Integration).
System LSI is super-multifunctional LSI constructed using a plurality
of components integrated on a single chip. Specifically, it is a
computer system constructed to include a microprocessor, ROM, RAM,
and the like. The RAM stores a program therein. The system LSI achieves
its function as a result of the microprocessor operating in accordance
with the program.

(8) Some or all of the components constituting the above devices
may be constructed using detachable IC cards or unit modules. The
IC card or module is a computer system constructed from a microprocessor,
ROM, RAM, and the like. The IC card or module may include the super
multifunctional LSI. The IC card or module fulfills its function
as a result of the microprocessor operating in accordance with a
program. The IC card or module may be tamper resistant.
(9) The present invention may be the methods described above.
Moreover, it may be programs that realize these methods using a
computer, or the digital signals composed of the programs.

Moreover, the present invention may be a computer-readable
recording medium having the program or digital signals recorded
thereon, examples of which include flexible disk, hard disk, CD-ROM,
MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc), and semi-conductor
memory etc. Alternatively, the present invention may be the programs
or digital signals recorded on any of these recording media.

Further, the present invention may be the program or digital
signals broadcast or transmitted via a network or the like, typical
examples of which include a telecommunications line, a wireless or
cable communications line, and the Internet.

Further, the present invention may be a computer system provided
with a microprocessor and a memory, in which the memory stores the
program and the microprocessor operates in accordance with the
program.

Further, the program or digital signals may be implemented
using an independent computer system by transferring the program
or digital signals recorded on the recording medium, or by transferring
the program or digital signals via the network or the like.

(10) The present invention may be any combination of the above
embodiments and modifications.

(11) As described above, rather than simply enabling
concealment of the values that are used in an operation, the present
invention further enables concealment of the operation itself. It
can therefore be usefully included in scrambling software and in
devices such as IC cards.

Industrial Applicability

The devices, methods and programs of the present invention
can be used administratively as well as repeatedly, in all industries
where it is necessary to manipulate information safely and reliably.
The devices, methods, and programs that constitute the present
invention can be manufactured and retailed repeatedly, in
manufacturing industries producing electronic devices.
Abstract

A computer system that makes it difficult to analyze the content
of a calculation. In the computer system, a power operation unit
(262) performs the following operations using the input data "a"
and "b": g_a = g^a mod n, g_b = g^b mod n. Next, in the computer system,
a multiplication unit (264) performs the following calculation using
g_a and g_b: g_ab = g_a x g_b mod n. Next, in the computer system, a discrete
logarithm calculation unit (266) calculates c_i mod p_i - 1 to satisfy
g_ab = g^(c_i) mod p_i (i = 1, 2, 3, ..., k). Next, in the computer system, a
CRT unit (267) calculates "c" to satisfy c_i = c mod p_i - 1 (i = 1,
2, 3, ..., k) using the Chinese remainder theorem CRT.



